20.1 Using Strong Cryptography

The strong cryptography settings let you configure the proxy server to require strong encryption in SSL sessions (for example, HTTPS). Client mode (the proxy server initiates the SSL session) and server mode (the proxy server accepts an SSL session from another machine) are configured separately. By default, strong cryptography is not forced in either mode.

The configuration can be done from the iChain Proxy Server system console using the following commands:

set authentication strongserverenable = (yes/no)

No: Clients can initiate an SSL session with the proxy server using weak or strong cryptography.

Yes: Clients must initiate an SSL session with the proxy server using strong cryptography, or the session fails.

set authentication strongclientenable = (yes/no)

No: The proxy server initiates an SSL session with another server using any cryptography that server supports (strong or weak).

Yes: The proxy server only initiates an SSL session with another server using strong cryptography; if the other server does not support strong cryptography, the session fails.

Applying these settings stores them in the ISO object and creates a nile.cfg file. This file is read by nile.nlm at startup, so the server must be restarted for these settings to take effect.

20.1.1 Cryptography Settings

  • Weak cryptography: Encryption is done with key sizes less than 128 bits.

  • Strong cryptography: Encryption is done with key sizes of 128 bits or larger.

20.1.2 Configuring Federal Information Processing Standards in iChain

This section discusses the Federal Information Processing Standards (FIPS) option, including how to turn this option on or off, and the cipher options that go with it.

Turning the FIPS Option On/Off

To turn on the FIPS option in iChain, add the following load command line before “load proxy” in the appstart.ncf:

Syntax: load nile {-|/}{F|f}

The following are examples of this syntax:

load nile -F
load nile -f
load nile /F
load nile /f

The original appstart.ncf:

. . . . .
load dbypass
load proxy
load caconfig
. . . . .

The updated appstart.ncf:

. . . . .
load dbypass
load nile /F
load proxy
load caconfig
. . . . .

To turn this option off, users can either delete the load nile /F line or remove the /F option.

After updating the appstart.ncf when turning the option on or off, you need to restart the iChain server for the update to become effective.
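The following script is an added example (not part of the iChain documentation or product) that checks an appstart.ncf for the FIPS rule described above: a "load nile" line with one of the documented switches (-F, -f, /F or /f) must appear before "load proxy", and the option is off when that line is missing or the switch is removed. It also inserts or removes the line so the before/after listings above can be reproduced. The regular expressions, the function names fips_status and set_fips, and the treatment of lines starting with "#" or ";" as comments are this example's own assumptions, not iChain behaviour.

```python
"""Check and edit an iChain appstart.ncf for the FIPS 'load nile' switch.

Added example (not iChain's own code). It encodes the rule from the page:
'load nile {-|/}{F|f}' must appear before 'load proxy' for FIPS mode to be on.
Assumed: lines starting with '#' or ';' are comments and are ignored.
"""
import re

# The documented syntax: load nile {-|/}{F|f}; trailing whitespace is tolerated.
NILE_FIPS_RE = re.compile(r"^\s*load\s+nile\s+[-/][Ff]\s*$", re.IGNORECASE)
NILE_ANY_RE = re.compile(r"^\s*load\s+nile\b", re.IGNORECASE)
LOAD_PROXY_RE = re.compile(r"^\s*load\s+proxy\b", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*[#;]")  # assumed NCF comment markers


def fips_status(ncf_text: str) -> dict:
    """Report whether FIPS mode would be enabled by this appstart.ncf.

    Returns a dict with keys: enabled (bool), nile_line and proxy_line
    (1-based line numbers or None) and problems (list of str).
    """
    nile_line = proxy_line = None
    problems = []
    for lineno, raw in enumerate(ncf_text.splitlines(), start=1):
        if not raw.strip() or COMMENT_RE.match(raw):
            continue
        if NILE_ANY_RE.match(raw):
            if not NILE_FIPS_RE.match(raw):
                problems.append(
                    f"line {lineno}: 'load nile' without a valid FIPS switch (-F, -f, /F or /f)")
            elif nile_line is None:
                nile_line = lineno
            else:
                problems.append(f"line {lineno}: duplicate 'load nile' line")
            continue
        if LOAD_PROXY_RE.match(raw) and proxy_line is None:
            proxy_line = lineno
    if proxy_line is None:
        problems.append("no 'load proxy' line found")
    if nile_line is None:
        problems.append("no 'load nile {-|/}{F|f}' line: FIPS option is off")
    elif proxy_line is not None and nile_line > proxy_line:
        problems.append(
            f"line {nile_line}: 'load nile' comes after 'load proxy' (line {proxy_line}); "
            "move it before 'load proxy'")
    enabled = nile_line is not None and proxy_line is not None and nile_line < proxy_line
    return {"enabled": enabled, "nile_line": nile_line,
            "proxy_line": proxy_line, "problems": problems}


def set_fips(ncf_text: str, enable: bool, switch: str = "/F") -> str:
    """Return ncf_text with the FIPS line inserted before 'load proxy' (enable=True)
    or with every FIPS 'load nile' line removed (enable=False). Idempotent."""
    if switch not in ("-F", "-f", "/F", "/f"):
        raise ValueError("switch must be one of -F, -f, /F, /f")
    trailer = "\n" if ncf_text.endswith("\n") else ""
    kept = [line for line in ncf_text.splitlines() if not NILE_FIPS_RE.match(line)]
    if not enable:
        return "\n".join(kept) + trailer
    out, inserted = [], False
    for line in kept:
        if not inserted and LOAD_PROXY_RE.match(line):
            out.append(f"load nile {switch}")
            inserted = True
        out.append(line)
    if not inserted:
        raise ValueError("no 'load proxy' line to anchor the FIPS switch on")
    return "\n".join(out) + trailer


# Constructed sample matching the page's before/after listings (elided lines omitted).
ORIGINAL_NCF = "load dbypass\nload proxy\nload caconfig\n"

if __name__ == "__main__":
    print(fips_status(ORIGINAL_NCF))
    updated = set_fips(ORIGINAL_NCF, enable=True)
    print(updated, fips_status(updated))
```

A restart is still required after editing the file, exactly as the text above states; the script only reports what the file would do at the next start.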

Cipher Options For FIPS

iChain supports the following cipher options for FIPS:

For the server side (from the viewpoint of the browser):

  • SSL_RSA_WITH_DES_CBC_SHA (weak)

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA (strong)

For the client side (from the viewpoint of the Web server):

  • SSL_RSA_WITH_DES_CBC_SHA (weak)

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA (strong)

For information on how to configure weak or strong cryptography, see Section 20.1, Using Strong Cryptography.
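The following model is an added example (not iChain's own code) that ties the two parts of this section together: it classifies cipher suites as weak (key size below 128 bits) or strong (128 bits or larger), restricts the candidates to the FIPS cipher options listed above when FIPS mode is on, and shows which session outcomes the strongserverenable and strongclientenable settings from Section 20.1 produce in server mode and client mode. The key sizes for the two FIPS suites are the nominal DES and 3DES key lengths; the additional suites, the "strongest common suite wins" selection rule, and the function names are this example's assumptions, since the page does not state how the product orders its preferences.

```python
"""Model of iChain's strong-cryptography and FIPS cipher policy.

Added example (not iChain's own code). It classifies cipher suites as weak
(< 128-bit key) or strong (>= 128-bit key) and works out whether an SSL
session can be established in server mode (strongserverenable) and client
mode (strongclientenable), optionally restricted to the FIPS cipher options.
Assumed: the strongest common suite is picked; the page does not state a
preference order. Suites outside the FIPS list are constructed extras.
"""

# Symmetric key size in bits. 3DES is counted at its nominal 168-bit key,
# which is how the page classifies it as strong.
CIPHER_KEY_BITS = {
    "SSL_RSA_WITH_DES_CBC_SHA": 56,            # FIPS option, weak
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": 168,      # FIPS option, strong
    "SSL_RSA_WITH_RC4_128_SHA": 128,           # constructed extra, strong
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": 40,      # constructed extra, weak
    "SSL_RSA_WITH_NULL_SHA": 0,                # constructed extra, no encryption
}
FIPS_CIPHERS = {"SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}
STRONG_MIN_BITS = 128


def is_strong(suite: str) -> bool:
    """Strong cryptography per the page: key size of 128 bits or larger."""
    return CIPHER_KEY_BITS[suite] >= STRONG_MIN_BITS


def classify(suites) -> dict:
    """Split known suites into weak and strong lists; unknown names are reported separately."""
    result = {"weak": [], "strong": [], "unknown": []}
    for s in suites:
        if s not in CIPHER_KEY_BITS:
            result["unknown"].append(s)
        elif is_strong(s):
            result["strong"].append(s)
        else:
            result["weak"].append(s)
    return result


def _pick(candidates):
    """Assumed selection rule: the largest key size wins; None means the session fails."""
    return max(candidates, key=lambda s: CIPHER_KEY_BITS[s], default=None)


def negotiate_server_mode(client_offer, strongserverenable: bool, fips: bool = False):
    """Proxy accepts an SSL session from a browser that offers client_offer."""
    candidates = [s for s in client_offer if s in CIPHER_KEY_BITS]
    if fips:
        candidates = [s for s in candidates if s in FIPS_CIPHERS]
    if strongserverenable:
        candidates = [s for s in candidates if is_strong(s)]
    return _pick(candidates)


def negotiate_client_mode(origin_supports, strongclientenable: bool, fips: bool = False):
    """Proxy initiates an SSL session to a Web server that supports origin_supports."""
    offer = [s for s in CIPHER_KEY_BITS if CIPHER_KEY_BITS[s] > 0]  # never offer NULL
    if fips:
        offer = [s for s in offer if s in FIPS_CIPHERS]
    if strongclientenable:
        offer = [s for s in offer if is_strong(s)]
    return _pick([s for s in offer if s in origin_supports])


if __name__ == "__main__":
    browser = ["SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
    for strong in (False, True):
        print("strongserverenable =", "yes" if strong else "no",
              "->", negotiate_server_mode(browser, strong, fips=True))
```

With FIPS on and strongserverenable set to yes, the model leaves SSL_RSA_WITH_3DES_EDE_CBC_SHA as the only suite a browser can use; with strongserverenable set to no, a browser offering only SSL_RSA_WITH_DES_CBC_SHA still connects, which is the weak-session case the settings exist to prevent.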